Cyber crime has a bright future because the engineers responsible for the technology of the Internet have largely ignored the human element. We will review the history of the Internet briefly to see why have ended up in the present situation. We will look at a number of case studies into cyber crime, such as the DigiNotar case, but also more mundane offences like laptop theft. To conclude we suggest how the principles of situational crime prevention that have been shown to be successful in the prevention of “traditional” crime could be applied to cyber crime.

Queensland, 2000, 46 times!

2011

I will make more precise later what I mean by the human element To understand how we got into this let’s review the history of the Internet Life is easy for the cyber criminal You can commit a cyber crime yourself Examples from our research and from other Gloss over many important issues Once upon a time

Researchers trying to do better research with the help of the Internet

Issues but they could all be dealt with by the family using the rules of the net etiquette

Many innovative services thanks to the design philosophy No security still

Self management by netiquette broke down

Backstitching security technology is costly But there is a bigger problem

Offender does not follow the rules Rational person maximizing his profits and minimizing his efforts This is the human element!

Back to the human element So Internet security will remain an oxymoron for as long as network and security engineers focus on the technology, and ignore the human element.

Forthcoming thesis of Trajce Dimkov

James Heckman Nobel prize Economics 2000

motivated offender meets a suitable target in the absence of capable guardians motivated offender acts rationally but has limited time and knowledge to make optimal decisions.

16.
Results  Social engineering works  30 out of 47 attempts with social engineering succeeded  1 out of 15 attempts without social engineering succeeded  Managers more likely to prevent attack than the target  Offender masquerading as ICT staff twice as likely to be successful[Dim12] T. Dimkov, Alignment of Organizational Security Policies -- Theory and Practice.PhD thesis, University of Twente, http://dx.doi.org/10.3990/1.9789036533317 16

18.
CertificateThe bindingof a public keyand an identitysigned by acertificationauthority 18

19.
What went wrong? No anti virus and weak passwords Offenders hacked the system and issued rogue certificates DigiNotar has been hacked before (2009) No backup certificates False certificates still accepted by browsers that have not been patched... DigiNotar now bankrupt. 19

20.
How to deal with the human element?  Focus on the offender  Focus on the offence[Fel10a] M. Felson. What every mathematician should know about modelling crime.European J. of Applied Mathematics, 21(Special Double Issue 4-5):275-281, 2010.http://dx.doi.org/10.1017/S0956792510000070 20

22.
Situational crime prevention focuses on the offence1. A theoretical foundation.2. A standard methodology based on action research.3. A set of opportunity-reducing techniques.4. A body of evaluated practice including studies of displacement. 22

24.
2. Methodology: Action Research1. collection of data about the nature of problem2. analysis of the situational conditions3. systematic study of means of blocking opportunities4. implementation of the most promising means5. monitoring of results and dissemination of experience. First car theft 4 index published 5 2,3# of 1VehiclesStolen Years 24

25.
3. A set of opportunity-reducing techniques. http://www.popcenter.org/25techniques/ 25

32.
Good but could be better On day 0 about 50% of participants fell  Constant across demographic  Control group remains constant  Single training reduces clicks  Multiple training reduces clicks more Unfortunately:  Participants were self selected...  No indication that this reduces crime... 32

33.
5. Control weapons and toolsIs it a good idea to: Is it a good idea to: Let people surf the Internet  Let people drive on the road without a license ? without a license ? Allow manufacturers to sell the  Allow manufacturers to sell the anti-virus of a PC as an optional brakes of a car as an optional extra ? extra ? Expect people to maintain their  Expect people to maintain their own anti-virus, fire wall, OS ? own car ?

34.
An idea that we would like to test1. User pays the ISP an “Insurance” premium2. Security vendor serves the user with updates3. Security vendor notifies an ISP when user does not update4. ISP ensures that non-compliant user does not endanger others5. ISP remunerates vendor6. Government controls ISPs and vendors